/*
* Windows creates a new ticket cache for primary NT tokens. This allows callers to create a dedicated cache for whatever they're doing
* that way the cache operations like purge or import don't polute the current users cache.
*
* To make this work we need to create a new NT token, which is only done during logon. We don't actually want Windows to validate the credentials
* so we tell it to treat the logon as `NewCredentials` which means Windows will just use those credentials as SSO credentials only.
*
* From there a new cache is created and any operations against the "current cache" such as SSPI ISC calls will hit this new cache.
* We then let callers import tickets into that cache using the krb-cred structure.
*
* When done the call to dispose will
* 1. Revert the impersonation context
* 2. Close the NT token handle
* 3. Close the Lsa Handle
*
* This destroys the cache and closes the logon session.
*
* For any operation that require native allocation and PtrToStructure copies we try and use the CryptoPool mechanism, which checks out a shared
* pool of memory to create a working for the current operation. On dispose it zeros the memory and returns it to the pool.
*/
private LsaInterop(LsaSafeHandle lsaHandle, string packageName = KerberosPackageName)
{
this.lsaHandle = lsaHandle;
var kerberosPackageName = new LSA_STRING
{
Buffer = packageName,
Length = (ushort)packageName.Length,
MaximumLength = (ushort)packageName.Length
};
var result = LsaLookupAuthenticationPackage(this.lsaHandle, ref kerberosPackageName, out this.selectedAuthPackage);
LsaThrowIfError(result);
var negotiatePackageName = new LSA_STRING
{
Buffer = NegotiatePackageName,
Length = (ushort)NegotiatePackageName.Length,
MaximumLength = (ushort)NegotiatePackageName.Length
};
result = LsaLookupAuthenticationPackage(this.lsaHandle, ref negotiatePackageName, out this.negotiateAuthPackage);
LsaThrowIfError(result);
}
public static unsafe extern int LsaCallAuthenticationPackage(
LsaSafeHandle LsaHandle,
int AuthenticationPackage,
void *ProtocolSubmitBuffer,
int SubmitBufferLength,
out LsaBufferSafeHandle ProtocolReturnBuffer,
out int ReturnBufferLength,
out int ProtocolStatus
);
public static extern int LsaLogonUser(
LsaSafeHandle LsaHandle,
ref LSA_STRING OriginName,
SECURITY_LOGON_TYPE LogonType,
int AuthenticationPackage,
void *AuthenticationInformation,
int AuthenticationInformationLength,
IntPtr LocalGroups,
ref TOKEN_SOURCE SourceContext,
out LsaBufferSafeHandle ProfileBuffer,
ref int ProfileBufferLength,
out LUID LogonId,
out LsaTokenSafeHandle Token,
out IntPtr Quotas,
out int SubStatus
);
public static extern int LsaLookupAuthenticationPackage(
LsaSafeHandle LsaHandle,
ref LSA_STRING PackageName,
out int AuthenticationPackage
);
public static extern int LsaRegisterLogonProcess(
ref LSA_STRING LogonProcessName,
out LsaSafeHandle LsaHandle,
out ulong SecurityMode
);
public static extern int LsaConnectUntrusted(
[Out] out LsaSafeHandle LsaHandle
);
